[JIRA] (JENKINS-32778) Jenkins plugin installation path traversal vulnerability
Daniel Beck resolved as Fixed

Fixed in 2.120.

Jenkins / JENKINS-32778 Jenkins plugin installation path traversal vulnerability
Change By: Daniel Beck
Status: Reopened → Resolved
Resolution: Fixed

This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[JIRA] (JENKINS-32778) Jenkins plugin installation path traversal vulnerability
SCM/JIRA link daemon commented on JENKINS-32778

Re: Jenkins plugin installation path traversal vulnerability

Code changed in jenkins
User: aviadatsnyk
Path: core/src/main/java/hudson/FilePath.java
http://jenkins-ci.org/commit/jenkins/8ede53387ec060a7c343e32efe808b1016f0c10c
Log: JENKINS-32778 - Prevent extracting archived plugins outside of target path (#3402)

*NOTE:* This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/
Functionality will be removed from GitHub.com on January 31st, 2019.
[JIRA] (JENKINS-32778) Jenkins plugin installation path traversal vulnerability
Oleg Nenashev reopened an issue

Reopening since we agreed to merge https://github.com/jenkinsci/jenkins/pull/3402
It is not considered as a security defect though.

Jenkins / JENKINS-32778 Jenkins plugin installation path traversal vulnerability
Change By: Oleg Nenashev
Resolution: Not A Defect
Status: Resolved → Reopened
[JIRA] (JENKINS-32778) Jenkins plugin installation path traversal vulnerability
Jesse Glick resolved as Not A Defect

consider a new feature that allowed an administrator to upload a 'skin' package that changed colors, logos, style sheets, etc. Such a package wouldn't run any code after installation, but depending on the implementation it may reuse this code that unpackages 'jar'/'zip' files.

I would not recommend that such a feature be created, but if it were (as a plugin on the update site), it would be the responsibility of the plugin author to ensure that all submitted ZIP files were treated as potentially malicious and the contents checked accordingly. If and when such a feature is created and the author is negligent about security and someone discovers this, file a SECURITY report and the plugin can be either fixed or blacklisted.

Jenkins / JENKINS-32778 Jenkins plugin installation path traversal vulnerability
Change By: Jesse Glick
Status: Open → Resolved
Resolution: Not A Defect